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Abstract 

This paper illustrates using Markov models to 
establish system and maintenance requirements for 
small electronic controllers where the goal is a high 
probability of continuous service for a long period 
of time. The system and maintenance items 
considered are quality of components, various 
degrees of simple redundancy, redundancy with 
reconfiguration, diagnostic levels, periodic 
maintenance, and preventive maintenance. Markov 
models permit a quantitative investigation with 
comparison and contrast. An element of special 
interest is the use of conditional probability to study 
the combination of imperfect diagnostics and 
periodic maintenance. 

Introduction 

The objective is to determine the system and 
maintenance requirements for a small electronic 
controller. The scenario is that the controller, 
except for some small downtime for maintenance, is 
to operate continuously for ten years. We wish the 
probability of failure to be less than 0.01 during this 
operating period. Periodic maintenance is assumed 
available. 

The original motivation for this study was 
process-control of equipment for the ground control 
of aircraft. The study, however, applies to most 
transportation and manufacturing systems. It does 
not apply to long-duration space missions where 
periodic maintenance is not available. 

When the requirement of reliable and 
continuous operation cannot be met by a single 
component, the architecture can use several 
working components configured in such a manner 
that the good components, up to a point, can handle 
the operation despite, and in the presence of, the 
failed components. In some systems of this type, 
too many failed components in the system can 
overwhelm or place too heavy a burden on the good 
components. 


One response to the accumulation of failed 
components is to have the system itself remove 
them — reconfiguration. A reconfigurable system, 
however, demands a trade-off. It is more efficient 
in terms of component use, but it is more complex 
and more vulnerable in terms of system design. For 
instance, we do not want the reconfiguration 
algorithm to remove good components. 

A requirement of a long period of operation 
can include maintenance to keep the original system 
a moderate size. There is on-demand and periodic 
maintenance. This study considers periodic 
maintenance. The assumption is that there are 
many systems at a facility or group of facilities, and 
a periodic tour of maintenance personnel is more 
efficient and easier to plan than emergency calls at 
random failure times. Part of system design is a 
high probability of surviving between maintenance 
checks. 

For equipment with an exponential 
(memoryless) failure distribution, such as electronic 
components, there is no gain in replacing the 
equipment until it has failed. Hence, the periodic 
maintenance sweep only replaces components 
detected as faulty. Obviously, failure detection, the 
diagnostic level, is important. 

Even though the individual components of a 
system do not age, the system can be regarded as 
ageing if failed components accumulate because of 
imperfect diagnostics. A possible strategy in the 
presence of imperfect diagnostics is preventative 
maintenance: on a regular basis, the entire system is 
replaced with a new system. This effectively 
breaks the long operating period into a sequence of 
short operating periods. 

A basic element is component quality, and a 
general result in the field is that it is hard to drive 
system reliability beyond the mean-time-to-failure 
of the components. The final results will reflect this 
as two different component qualities are examined: 
one with mean-time-to-failure less than the 
operating period and one with mean-time-to-failure 
greater than the operating period. 



The analysis considers two component failure 
rates le-4 per hour and le-5 per hour. It considers 
four architectures: a threeplex, a double-dual, a 
reconfigurable fourplex, and a nonreconfigurable 
fiveplex. It considers diagnostic levels of 0.9, 0.99, 
0.999, and 1.00. It looks at daily, weekly, monthly, 
and yearly periodic maintenance that replaces 
components detected as faulty. It considers 
preventive maintenance with intervals 1 year, 2 
years, and 5 years. 

A problem is presentation of data. The tables 
of results can either be included in the sections 
which describe each system which means flipping 
pages to compare systems, or the tables can be 
collected in one section which permits easy 
comparison of the systems but separates the results 
from the description of each system. This paper 
chooses to group the tables together on the basis 
that system description (the difference between a 
fourplex and a fiveplex, for example) is easy to 
remember. 

Three of the systems below use majority- 
voting to detect faulty components: the three-plex, 
the reconfigurable fourplex, and the non- 
reconfigurable fiveplex. The double-dual uses 
comparison where a dual unit removes itself from 
the system when its two units disagree. 

In this study, there is no explicit modeling of 
built-in-tests or external diagnostic equipment. 


Modeling Maintenance 

The behavior of a Markov model is described 
by a set of simultaneous differential equations. 

Suppose the coefficient matrix for a set of 
differential equations is A, and if the initial 
conditions (the initial probabilities of being in the n 
states of the model) at time T are 


P(T) 


P,(T) 

p 2 (t) 


Pn(T) 


( 1 ) 


p' = Ap 


at time T+x is 


p(T + r) = e Ar p(T) 


which gives the probabilities of being in the n 
states at time T+x. 

Modeling regular maintenance is handled by 
considering the conditional probability of being in 
all the states. Suppose the probability of being in 
state j at time T is pj (T). Let ej be the column 
vector with 1 in row j and zero elsewhere. The 
probability of being in any state at time T+x given 
we are in state j at time T is 

p(T + r)= e Ar ej (4) 

The probability of being in any state can be 
expressed by considering the sum over a disjoint 
union of sets. 


P ( T + T ) = Z p { j} p ( in P ( T + r) | state j} 

1 

= Pi (T) e Ar e, 

+ P 2 (T)e Ar e 2 
+ ... 

+ p n (T)e Ar e n 


= e 


At 


Pl(T) 

p 2 (T) 


Pn CO. 


( 5 ) 


then the solution to 


For instance, if maintenance is daily, x=24 
hours. Solve the model for the first day given all 



components are good. Adjust the initial conditions 
for the second day by replacing all the detected 
failed components. For ten years, do this 3,650 
times. 

Preventive maintenance replaces the old 
system with a new system where all components are 
good. Suppose there are k preventive maintenance 
intervals of equal length for the overall operating 
period. Suppose Q is the probability the system 
fails during a preventive maintenance interval. The 
probability of system failure P for the overall 
operating period is 

P = l-(l-Q) k (6) 


Figures and Equations for the Models 

Throughout this section, k is the component 
failure rate, D is the diagnostic level (the 
probability a fault is detected), and 8 the recovery 
rate for the reconfigurable fourplex. 

The model for a non-reconfigurable threeplex 
is given in figure 1 . The system begins in state 1 
with all components good. There is a transition at 
rate 3k to a state representing one component 
failed — to state 3 if the component is detected as 
faulty and to state 2 otherwise. The occurrence of a 
second fault at rate 2k can overwhelm or confuse 
the majority voter, and the system transitions to the 
failed state F. 



Figure 1. Markov Model Of A Threeplex 

The differential equations for the model in 
figure 1 are 


p( =~3Ap l 

=3/l(l-D)p 1 -(2/t + /tD)p 0 

p 3 =3/tDp 1 +AD p 0 -2/lp 3 

F / = 2/tp 0 +2/tp 3 

The initial conditions at time 0 are 

Pi =1 

p 2 =p 3 =F =0 

At regular maintenance, all components 
identified as faulty are replaced by good 
components. The initial conditions for the 
beginning of the next operating period are 

Pi =Pl +P 3 

P 2 =P 2 ( 9 ) 

p 3 =0 

F = F 

For a double-dual, a decision needs to be made 
on how to model two undetected faults in the same 
dual. 

The pessimistic view is that if the faults 
manifest themselves simultaneously, then they will 
produce the same incorrect result in which case the 
dual believes itself correct. The system, however, 
has two duals that disagree which is a failure. 

The pessimistic model is given in figure 2 



Figure 2. Pessimistic Model Of A Double- 
Dual 



In figure 2, the transition from state 1 to state 2 
represents the occurrence of a detectable fault while 
the transition to state 3 represents the occurrence of 
an undetectable fault. In states 2 and 3, the system 
has a single good dual, and a failure in this dual is 
system failure. The transition from state 3 to state 2 
represents the occurrence of a detectable fault in the 
dual that has an undetectable fault. In state 2, the 
failed dual can be replaced during maintenance. 

The equations for the pessimistic model of the 
double dual are: 

p( = 

P 2 = 4/1(1 - D)p| 

- (2 A D+2A + A(\- D))p 2 

p 3 =4/1 Dpj +2/lDp 0 -2/tp 3 

F 7 =(2/l + A(l-£)))p 2 +2/tp 3 (10) 

The initial conditions at time 0 are 

Pi =1 

P 2 =P 3 = F =0 C 11 ) 

At regular maintenance, all components 
identified as faulty are replaced by good 
components. The initial conditions for the 
beginning of the next operating period are 

Pi =Pi +P 3 
P 2 =P2 

p 3 =0 (12) 

F = F 

The optimistic point of view is that if the faults 
manifest themselves simultaneously, then they will 
produce different incorrect results and the faulty 
dual can be identified as faulty. The optimistic 
model is given in figure 3. 


4XD 2k 

1 ► 2 ►F 



Figure 3. Optimistic Model Of A Double-Dual 

In figure 3, the system moves from state 1 to 
state 2 or 3 according as the fault is detectable or 
undetectable. In both 2 and 3, the system fails if the 
other dual collects a fault. The system moves from 
state 3 to state 2 if the dual with an undetectable 
fault collects a detectable fault. The system moves 
from state 3 to state 4 if the non-faulty component 
in the faulty dual collects an undetectable fault. In 
state 4, the system moves to state 2 if a component 
in the faulty dual collects a detectable fault, and it 
moves to the failed state if a component in the non- 
faulty dual becomes faulty. 

The equations for the optimistic model of the 
double dual are: 

p( = -4Ap { 

p^ = 4 A Dpj -2/tp 0 +2/tDp 3 +2/lDp 4 
p 7 = 42,(1 -D)p 1 -(2AD + A(l-D)+2^)p 
p , 4 =A(l-D)p 3 ~(2AD + 2A)p 4 (13) 

F 7 =2/tp 0 +2/tp 3 +2Ap 4 

The initial conditions at time 0 are 1 for the 
initial state and zero for the rest. 

At regular maintenance, all components 
identified as faulty are replaced by good 
components. The initial conditions for the 
beginning of the next operating period are 



(14) 


Pi =Pi +P 2 

p 2 =° 

P 3 =P3 

P 4 = P 4 

F = F 

For the double-dual, the question is what 
percentage of faults requires the pessimistic model 
as opposed to the optimistic model. The answer is 
based on experiments which are expensive, and 
these experiments will be conducted only if the 
reliability results from the two models differ 
significantly. 

The figure for a reconfigurable fourplex is 
given in figure 4. 



Figure 4. Model Of A Reconfigurable Fourplex 


p( = “4/lpj 

p' 2 =4/l(l-D)p 1 -(3/L + AD)p 2 
p 3 =4/tDp 1 + ADp n -(3/l + j)p 3 
P 4 =^P 3 -3/lp 4 (15) 

P5 =3/l(l-D)p 1 -2Ap 5 
Pg =3ADp 4 +ADp 5 -(2/L + AD) p 6 
F / = 3/1 p 0 +3/1 p 3 +2/lp 5 +2/lp 6 
The initial conditions at time 0 are 

Pi =1 

P 2 =P 3 =P 4 =P 5 =P6 =0 ( 16 ) 

F = 0 

When regular maintenance is performed all 
components identified as faulty are replaced by 
good components. The initial conditions for the 
next operating period are 

Pi =Pi +P 3 +P 4 +P 6 
P 2 =P 2 +P 5 (17) 

P 3 =P 4 =P5=P 6 = 0 

F = F 


The differential equations are 



The model for a fiveplex is given in figure 5. 

31 




Figure 5. Markov Model For A Fiveplex 

The Differential equations for the fiveplex in 
figure 5 are 

p( = -5Ap l 

p' 2 =5A(l-D)p 1 -(4A + 2AD)p 2 
p 3 =4/l(l-D)p 9 -(3/l + AZ))p 3 
P 4 = 4/tDp 0 +2/lDp 3 +4/l(l-D)p 5 
- (3/1 + AZ))p 4 (18) 

P 5 =5/lDp 1 + /l£)p 0 -4/lp 5 
Pg =^Dp 4 +41Dp s -3A p 6 
F / =3/1 p 3 +3/1 p 4 +3/lp 6 
The initial conditions at time zero are 
Pi =1 

P2=P 3 = P4 = P5=P6 =0 

F = 0 


When regular maintenance is performed all 
components identified as faulty are replaced by 
good components. The initial conditions for the 
next operating period are 

Pi =Pi +P 5 +P 6 

P 2 =P 2 +P4 

p 3 =p 3 (20) 

P 4 =P 5 =P 6 = 0 

F = F 

Tables for Regular Maintenance 

In the tables below, bold (and blue if color 
appears in this version) print indicates the entries 
that meet the requirement of less than a 0.01 chance 
of failure during the ten-year operating period. 

The first six tables give the probability of 
failure during the ten year operating period for the 
four systems where the component failure rate is 
le-4 per hour. 


Table 1. Threeplex; X = le-4/hr 


Diagnostic 
Maint Per 

1.0 

0.999 

0.99 

0.9 

1 day 

6.1e-2 

7.6e-2 

2.1e-l 

8.2e-l 

7 days 

3.5e-l 

3.6e-l 

4.5e-l 

8.7e-l 

30 days 

8.2e-l 

8.2e-l 

8.4e-l 

9.5e-l 

365 days 

9.9e-l 

9.9e-l 

9.9e-l 

9.9e-l 

Table 2. Pessimists 
X = le-4 

c Double-Dual; 
1/hr 

Diagnostic 
Maint Per 

1.0 

0.999 

0.99 

0.9 

1 day 

8.0e-2 

9.6e-2 

8.4e-l 

8.4e-l 

7 days 

4.3e-l 

4.4e-l 

8.9e-l 

8.9e-l 

30 days 

8.9e-l 

8.9e-l 

9.7e-l 

9.7e-l 

365 days 

1.0 

1.0 

1.0 

1.0 


( 19 ) 




Table 3. Optimistic Double-Dual; 




k = le-4 

1/hr 


Diagnostic 

Maint 

Period 

1.0 

0.999 

0.99 

0.9 

1 day 

8.0e-2 

9,6e-2 

2.2e-l 

8.3e-l 

7 days 

4.3e-l 

4.4e-l 

5.2e-l 

8.9e-l 

30 days 

8.9e-l 

8.9e-l 

9.0e-l 

9.7e-l 

365 days 

1.0 

1.0 

1.0 

1.0 


Table 4: Fourplex; I=le-4/hr; 8=1000/hr 


Diagnostic 
Maint Per 

1.0 

0.999 

0.99 

0.9 

1 day 

2. le-4 

2.5e-2 

2.3e-l 

9.2e-l 

7 days 

9.5e-3 

3.4e-2 

2.3e-l 

9.2e-l 

30 days 

1.4e-l 

1.6e-l 

3.3e-l 

9.3e-l 

365 days 

9.9e-l 

9.9e-l 

9.9e-l 

9.9e-l 


Table 5: Fourplex; X=le-4/hr; 8= 10,000/hr 


Diagnostic 
Maint Per 

1.0 

0.999 

0.99 

0.9 

1 day 

2.0e-4 

2.5e-2 

2.2e-l 

9.2e-l 

7 days 

9.5e-3 

3.4e-2 

2.3e-l 

9.2e-l 

30 days 

1 ,4e- 1 

1.6e-l 

3.3e-l 

9.3e-l 

365 days 

9.9e-l 

9.9e-l 

9.9e-l 

9.9e-l 


Table 6. Fiveplex; k =le-4/hr 


Diagnostic 
Maint Per 

1.0 

0.999 

0.99 

0.9 

1 day 

5.0e-4 

l.le-3 

1.4e-2 

4.7e-l 

7 days 

2.3e-2 

2.6e-2 

6.1e-2 

5.5e-l 

30 days 

3.e-l 

3. le-1 

3.7e-l 

7.7e-l 

365 days 

9.9e-l 

9.9e-l 

9.9e-l 

9.9e-l 


The next six tables give the probability of 
failure during with a failure rate of 1 e-5 per hour. 


Table 7. Threeplex; k =le-5/hr 


Diagnostic 
Maint Per 

1.0 

0.999 

0.99 

0.9 

1 day 

6.3e-4 

1.8e-3 

1.2e-2 

1.0e-l 

7 days 

4.4e-3 

5.6e-3 

1.6e-2 

l.le-1 

30 days 

1.8e-2 

1.9e-2 

2.9e-2 

1.2e-l 

365 days 

1.8e-l 

1.9e-l 

1.8e-l 

2.4e-l 


Table 8. Pessimistic Double-Dual; 


k =le-5/hr 


Diagnostic 
Maint Per 

1.0 

0.999 

0.99 

0.9 

1 day 

8.4e-4 

2.1e-3 

1.3e-2 

1.2e-l 

7 days 

5.8e-3 

7.1e-3 

1.8e-2 

1.3e-l 

30 days 

2.4e-2 

2.5e-2 

3.6e-2 

1.4e-l 

365 days 

2.3e-l 

2.3e-l 

2.4e-l 

2.9e-l 


Table 9. Optimistic Double-Dual; k =le-5/hr 


Diagnostic 
Maint Per 

1.0 

0.999 

0.99 

0.9 

1 day 

8.4e-4 

2.1e-3 

1.3e-2 

1.2e-l 

7 days 

5.8e-3 

7.1e-3 

1.8e-2 

1.2e-l 

30 days 

2.4e-2 

2.5e-2 

3.6e-2 

1.3e-l 

365 days 

2.3e-l 

2.3e-l 

2.4e-l 

2.9e-l 


Table 10. Fourplex; k =le-5/hr; 5=1000/hr 


Diagnostic 
Maint Per 

1.0 

0.999 

0.99 

0 

.9 

1 day 

3.1e-7 

1.9e-3 

1.8e-2 

1.7e-l 

7 days 

9.9e-6 

1.9e-3 

1.9e-2 

1.7e-l 

30 days 

1.8e-4 

2.1e-3 

1.9e-2 

1.7e-l 

365 days 

2.2e-2 

2.4e-2 

3.9e-2 

1.8e-l 


Table 11. Fourplex; k=le-5/hr; 5=10, 000/hr 


Diagnostic 

1.0 

0.999 

0.99 

0.9 

Maint Per 





1 day 

2.1e-7 

1.8e-3 

1.8e-2 

1.7e-l 

7 days 

9.8e-6 

1.9e-3 

1.8e-2 

1.7e-l 

30 days 

1.7e-4 

2.1e-3 

1.9e-2 

1.7e-l 

365 days 

2.2e-2 

2.4e-2 

3.9e-2 

1.7e-l 


Table 12. Fiveplex; k =le-5/hr 


Diag 

1.0 

0.999 

0.99 

0.9 

Maint Per 





1 day 

5.0e-7 

4.9e-6 

2.5e-4 

2.1e-2 

7 days 

2.4e-5 

4.1e-5 

3.9e-4 

2.1e-2 

30 days 

4.4e-4 

5.0e-4 

1.2e-3 

2.5e-2 

365 day 

5.1e-2 

5.1e-2 

5.4e-2 

9.7e-2 


Discussion of Results for Regular 
Maintenance 

For the systems where the component failure 
rate is 1 e-4 per hour, the results are dismal. It is 
difficult to overcome the liability of expected 
component life-time being much smaller than 
system operating time. 

Neither the threeplex nor the double-duals 
have successful entries. Both cases of the fourplex 
have two successful entries, but these entries 
require a 1 00% diagnostic level. A faster recovery 
rate makes little contribution. The fiveplex has two 
successful entries. The entries require 100% and 


99.9% diagnostics. Both require daily regular 
maintenance. 

The results for the pessimistic and optimistic 
models of the double-dual are nearly the same, 
indicating that the pessimistic model can be used 
and there is no reason for additional experiments to 
decide between the two models. 

The last four tables in the previous section give 
the results where the component failure rate is 1 e-5 
per hour. 

All the architectures have successful entries for 
this component failure rate. 

For the threeplex, the diagnostic level can drop 
to 99.9%, and the regular-maintenance schedule can 
be reduced to weekly. The same is true for the 
double-dual. For the fourplexes, the diagnostic 
level can drop to 99.9%. Once again, a faster 
recovery has only a small effect, but the 
reconfiguration makes the system more efficient in 
with respect to hardware, and the regular- 
maintenance schedule can be reduced to monthly. 
For the fiveplex, the diagnostic level can drop to 
99% and the regular-maintenance schedule can be 
reduced to monthly. 

The drop in diagnostic requirement for the 
fiveplex is the significant result. A high diagnostic 
level requires a careful and stringent design. 

For these systems, the most important factor is 
failure rate of the components. 


Tables for Preventive Maintenance 

This section presents the results when the old 
system is replaced by a new system on a periodic 
basis — preventive maintenance. As before, the 
tables give the probability of system failure during 
the ten year operating period. 

The tables do not list the results for a 
diagnostic level of 100% since in this case, because 
the components are not wearing out, regular 
maintenance yields a system as good-as-new, and 
hence, it is equivalent to preventive maintenance. 

For these systems, there is no regular 
maintenance at a one year interval since such 
regular maintenance would come close to the 
preventive maintenance schedule. 


Italics (and blue if this version supports color) 
indicate the entries where the system met the 
reliability requirement without preventive 
maintenance. Bold ( and magenta if this version 
supports color) indicates the entries where 
preventive maintenance extends the system 
reliability. The first six tables consider systems 
with a component failure rate of le-4 per hour; the 
second six tables consider systems with a 
component failure rate of 1 e-5 per hour. 

Once again, there are no entries for a 
diagnostic level of 1.0 since regular maintenance is 
equivalent to preventative maintenance in this case. 


Table 13. Threeplex; ^=le-4/hour 


Diag 

Level 

Regular 

Maint 

Period 

System 
replaced 
every 
1 year 

System 
replaced 
every 
2 years 

System 
replaced 
every 
5 years 

0.999 

1 day 

7.1e-2 

7.4e-2 

7.5e-2 

0.999 

7 days 

3.5e-l 

3.5e-l 

3.5e-l 

0.999 

30 days 

8.1e-l 

8.1e-l 

8.1e-l 






0.99 

1 day 

1.6e-l 

1.8e-l 

2.0e-l 

0.99 

7 days 

4.1e-l 

4.2e-l 

4.4e-l 

0.99 

30 days 

8.2e-l 

8.3e-l 

8.4e-l 






0.9 

1 day 

6.9e-l 

7.6e-l 

8.1e-l 

0.9 

7 days 

7.7e-l 

8.2e-l 

8.6e-l 

0.9 

30 days 

9.1e-l 

9.3e-l 

9.5e-l 


Table 14. Pessimistic Double-Dual; k =le-4/hour 


Diag 

Level 

Regular 

Maint 

Period 

System 
replaced 
every 
1 year 

System 
replaced 
every 
2 years 

System 
replaced 
every 
5 years 

0.999 

1 day 

9.2e-2 

9.4e-2 

9.5e-2 

0.999 

7 days 

4.4e-l 

4.4e-l 

4.4e-l 

0.999 

30 days 

8.9e-l 

8.9e-l 

8.9e-l 






0.99 

1 day 

1.9e-l 

2.1e-l 

2.2e-l 

0.99 

7 days 

5.0e-l 

5.1e-l 

5.2e-l 

0.99 

30 days 

9.0e-l 

9.0e-l 

9.0e-l 






0.9 

1 day 

7.5e-l 

8.0e-l 

8.3e-l 

0.9 

7 days 

8.3e-l 

8.8e-l 

8.8e-l 

0.9 

30 days 

9.5e-l 

9.6e-l 

9.7e-l 


Table 15. Optimistic Double-Dual; I=le-4/hour 


Diag 

Level 

Regular 

Maint 

Period 

System 
replaced 
every 
1 year 

System 
replaced 
every 
2 years 

System 
replaced 
every 
5 years 

0.999 

1 day 

9.2e-2 

9.4e-2 

9.5e-2 

0.999 

7 days 

4.4e-l 

4.4e-l 

4.4e-l 

0.999 

30 days 

8.9e-l 

8.9e-l 

8.9e-l 






0.99 

1 day 

1.9e-l 

2.1e-l 

2.2e-l 

0.99 

7 days 

5.0e-l 

5.1e-l 

5.2e-l 

0.99 

30 days 

9.0e-l 

9.0e-l 

9.0e-l 






0.9 

1 day 

7.3e-l 

7.9e-l 

8.2e-l 

0.9 

7 days 

8.2e-l 

8.6e-l 

8.8e-l 

0.9 

30 days 

9.5e-l 

9.6e-l 

9.7e-l 






Table 18. Fiveplex; /.= le-4/hour 


Table 16. Fourplex; X=le-4/hour; 5=1000/hour 


Diag 

Level 

Regular 

Maint 

Period 

System 
replaced 
every 
1 year 

System 
replaced 
every 
2 years 

System 
replaced 
every 
5 years 

0.999 

1 day 

1.9e-2 

2.2e-2 

2.4e-2 

0.999 

7 days 

2.7e-2 

3.1e-2 

3.3e-2 

0.999 

30 days 

1.5e-l 

1.5e-l 

1.6e-l 






0.99 

1 day 

1.7e-l 

2.0e-l 

2.1e-l 

0.99 

7 days 

1.7e-l 

2.0e-l 

2.2e-l 

0.99 

30 days 

2.8e-l 

3.0e-l 

3.2e-l 






0.9 

1 day 

8.4e-l 

8.9e-l 

9. le-1 

0.9 

7 days 

8.4e-l 

8.9e-l 

9.1e-l 

0.9 

30 days 

8.5e-l 

8.9e-l 

9.2e-l 


Diag 

Level 

Regular 

Maint 

Period 

System 
replaced 
every 
1 year 

System 
replaced 
every 
2 years 

System 
replaced 
every 
5 years 

0.999 

1 day 

7.3e-4 

8. 7e-4 

1.0e-3 

0.999 

7 days 

2.4e-2 

2.5e-2 

2.6e-2 

0.999 

30 days 

3.0e-l 

3.0e-l 

3. le-1 






0.99 

1 day 

4.8e-3 

8.0e-3 

1.2e-2 

0.99 

7 days 

3.7e-2 

4.6e-2 

5.6e-2 

0.99 

30 days 

3.3e-l 

3.4e-l 

3.6e-l 






0.9 

1 day 

2.0e-l 

3.2e-l 

4.3e-l 

0.9 

7 days 

2.7e-l 

4.0e-l 

5.2e-l 

0.9 

30 days 

5.6e-l 

6.6e-l 

7.5e-l 


Table 17. Fourplex; X =le-4/hour; 8=10000/hour 


Diag 

Level 

Regular 

Maint 

Period 

System 
replaced 
every 
1 year 

System 
replaced 
every 
2 years 

System 
replaced 
every 
5 years 

0.999 

1 day 

1.8e-2 

2.2e-2 

2.4e-2 

0.999 

7 days 

2.7e-2 

3.1e-2 

3.3e-2 

0.999 

30 days 

1.5e-l 

1.5e-l 

1.6e-l 






0.99 

1 day 

1.7e-l 

2.0e-l 

2. le-1 

0.99 

7 days 

1.8e-l 

2.0e-l 

2.2e-l 

0.99 

30 days 

2.7e-l 

3.0e-l 

3.2e-l 






0.9 

1 day 

8.4e-l 

8.9e-l 

9. le-1 

0.9 

7 days 

8.4e-l 

8.9e-l 

9. le-1 

0.9 

30 days 

8.5e-l 

8.9e-l 

9.2e-l 


Table 19. Threeplex; >u=le- 5/hour 


Diag 

Level 

Regular 

Maint 

Period 

System 
replaced 
every 
1 year 

System 
replaced 
every 
2 years 

System 
replaced 
every 
5 years 

0.999 

1 day 

8.6e-4 

1.0e-3 

1.4e-3 

0.999 

7 days 

4.5e-3 

4. 7e-3 

5.1e-3 

0.999 

30 days 

1.8e-2 

1.8e-2 

1.9e-2 






0.99 

1 day 

2.7e-3 

4.5e-3 

8.3e-3 

0.99 

7 days 

6.4e-3 

8.1e-3 

1.2e-2 

0.99 

30 days 

2.0e-2 

2.1e-2 

2.5e-2 






0.9 

1 day 

2.1e-2 

3.8e-2 

7.4e-2 

0.9 

7 days 

2.4e-2 

4.1e-2 

7.7e-2 

0.9 

30 days 

3.6e-2 

5.2e-2 

8.8e-2 


Table 22. Fourplex; X=le-5/hour; 8=1000/hour 


Table 20. Pessimistic Double-Dual; X =le- 5/hour 


Diag 

Level 

Regular 

Maint 

Period 

System 
replaced 
every 
1 year 

System 
replaced 
every 
2 years 

System 
replaced 
every 
5 years 

0.999 

1 day 

l.le-3 

1.3e-3 

1.8e-3 

0.999 

7 days 

6.1e-3 

6.3e-3 

6.8e-3 

0.999 

30 days 

2.4e-2 

2.5e-2 

2.5e-2 






0.99 

1 day 

3.6e-3 

5.8e-3 

1.0e-2 

0.99 

7 days 

8.5e-3 

l.le-2 

1.5e-2 

0.99 

30 days 

2.7e-2 

2.9e-2 

3.3e-2 






0.9 

1 day 

2.9e-2 

5.0e-2 

9.1e-2 

0.9 

7 days 

3.3e-2 

5.4e-2 

9.5e-2 

0.9 

30 days 

4.8e-2 

6.9e-2 

l.le-1 


Diag 

Level 

Regular 

Maint 

Period 

System 
replaced 
every 
1 year 

System 
replaced 
every 
2 years 

System 
replaced 
every 
5 years 

0.999 

1 day 

4.1e-4 

7.3e-4 

1.3e-3 

0.999 

7 days 

4.1e-4 

7.4e-4 

1.3e-3 

0.999 

30 days 

5. 7 e-4 

8. 9 e-4 

1.5e-3 






0.99 

1 day 

4.0e-3 

7.3e-3 

1.3e-2 

0.99 

7 days 

4.0e-3 

7.3e-3 

1.3e-2 

0.99 

30 days 

4.1e-3 

7.3e-3 

1.4e-2 






0.9 

1 day 

3.9e-2 

7.0e-2 

1.2e-l 

0.9 

7 days 

3.9e-2 

7.0e-2 

1.2e-l 

0.9 

30 days 

3.9e-2 

6.8e-2 

1.3e-l 


Table 21. Optimistic Double-Dual; k =le-5/hour Table 23. Fourplex; I=le-5/hour; 5=10000/hour 


Diag 

Level 

Regular 

Maint 

Period 

System 
replaced 
every 
1 year 

System 
replaced 
every 
2 years 

System 
replaced 
every 
5 years 

0.999 

1 day 

4.1 e-4 

7.3e-4 

1.3e-3 

0.999 

7 days 

4.1 e-4 

7.4e-4 

1.4e-3 

0.999 

30 days 

5. 7 e-4 

8. 9 e-4 

1.5e-3 






0.99 

1 day 

4.0e-3 

7.3e-3 

1.3e-2 

0.99 

7 days 

4.0e-3 

7.3e-3 

1.3e-2 

0.99 

30 days 

4.1e-3 

7.3e-3 

1.4e-2 






0.9 

1 day 

3.9e-2 

7.0e-2 

1.2e-l 

0.9 

7 days 

3.9e-2 

7.0e-2 

1.2e-l 

0.9 

30 days 

3.9e-2 

6.8e-2 

1.3e-l 


Diag 

Level 

Regular 

Maint 

Period 

System 
replaced 
every 
1 year 

System 
replaced 
every 
2 years 

System 
replaced 
every 
5 years 

0.999 

1 day 

l.le-3 

1.3e-3 

1.8e-3 

0.999 

7 days 

6.1e-3 

6.3e-3 

6.8e-3 

0.999 

30 days 

2.4e-2 

2.5e-2 

2.5e-2 






0.99 

1 day 

3.6e-3 

5.7e-3 

1.0e-2 

0.99 

7 days 

8.5e-3 

l.le-2 

1.5e-2 

0.99 

30 days 

2.7e-2 

2.9e-2 

3.3e-2 






0.9 

1 day 

2.8e-2 

4.8e-2 

8.8e-2 

0.9 

7 days 

3.2e-2 

5.2e-2 

9.2e-2 

0.9 

30 days 

4.7e-2 

6.7e-2 

l.le-1 


Table 24. Fiveplex; /.= le-5/hour 


Diag 

Level 

Regular 

Maint 

Period 

System 
replaced 
every 
1 year 

System 
replaced 
every 
2 years 

System 
replaced 
every 
5 years 

0.999 

1 day 

8.3e-7 

1.2e-6 

2.6e-6 

0.999 

7 days 

2.6e-5 

2.8e-5 

3.3e-5 

0.999 

30 days 

4.4e-4 

4.5e-4 

4.8e-4 






0.99 

1 day 

9.0e-6 

2.6e-5 

1.0e-4 

0.99 

7 days 

4.8e-5 

8.0e-5 

1.9e-4 

0.99 

30 days 

5. le-4 

5.9e-4 

8. 7e-4 






0.9 

1 day 

6.0e-4 

2.0e-3 

8.8e-3 

0.9 

7 days 

7.6e-4 

2.3e-3 

9.4e-3 

0.9 

30 days 

1.6e-3 

3.5e-3 

1.2e-002 


Results for Preventive Maintenance 

An overall result is that there is very little gain 
when the component failure rate is le-4. Only for 
the fiveplex is there a gain, and this gain is small. 
The diagnostic level can drop to 99%, but daily 
regular-maintenance is required, and the system 
must be replaced every year or every two years. 

For the threeplex under daily regular- 
maintenance, the diagnostic level can drop to 99%, 
and the system can be replaced every one, two, or 
five years. For the threeplex under weekly regular- 
maintenance, the diagnostic level can drop to 99%, 
and the system can be replaced every one or two 
years. 

For a given diagnostic level, a double-dual 
does not perform as well as a threeplex, but it may 
be easier to obtain a high diagnostic level with a 
double-dual. 

For both fourplexes, the diagnostic level can 
drop to 99% and regular-maintenance can be 
reduced to monthly if the system is replaced within 
two years. An anomaly is that under daily regular- 
maintenance, it is sufficient to replace the threeplex 
but not the fourplexes within five years. 

For the fiveplex under daily or weekly 
maintenance, the diagnostic level can drop to 90% 


if the system is replaced within five years. For the 
fiveplex under monthly maintenance, the diagnostic 
level can drop to 90% if the system is replaced 
within two years. 

If a high diagnostic level is difficult to achieve 
or establish, then the fiveplex with high quality 
components and preventive maintenance is the 
system of choice. 

Summary 

Markov models were used to determine the 
component, system, and maintenance requirements 
needed to meet the reliability goal of a system 
operating continuously over a ten year period. The 
models were flexible enough to examine the effects 
of all these factors. 

In general, high reliability for a long period 
requires a combination of quality components, 
redundancy, good diagnostics, and frequent 
maintenance. Since a high diagnostic level is one 
of the more difficult goals to achieve, this study 
recommends high quality components and a 
sufficient amount of redundancy. 

This paper is an application of standard 
material [1,2]. The major difference is that the 
usual study of reliability only includes the period 
between maintenance checks [3,4], not the 
accumulation of faults over a long operating period. 
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